Browser cookies: A Breach of Privacy?

Published on 3 March 2021 at 13:56

Today, before you opened this article, you probably clicked « accept cookies » and then didn’t get cookies. With disappointment on your face,  you probably wondered: what the hell are cookies?


Cookies are a piece of data, like a username and password, stored by web browsers to identify your computer using a computer network, therefore identify specific users. 


Users are given a choice as to cookies. The processing of their data is allowed by their consent. Such consent legitimises the existence of cookies as against the General Data Protection Regulation. Such tracking technologies are also justified by their aim: bettering the service being provided to users by personalising it. As long as the processing is informed and consented to, it formally doesn’t breach online privacy.


Cookies track who visits sites frequently to supposedly make their experience smoother as they track how users browse websites. They are meant to, I quote: “improve your browsing experience on our site, show personalized content and targeted ads, analyse site traffic, and understand where our audiences come from”.


Cookies can record how long each user spends on each page of a site, what links they are clicking. They were designed to be a reliable mechanism for websites to remember « stateful information », information requiring persistent storage, such as items added in the shopping cart, to remember pieces of information that the user previously entered, such as passwords.


Typically, authentication cookies are used by web servers to know whether the user is logged in or not, and through which account. After having required the user to authenticate themselves, the site can then disclose sensitive information. 


Security depends on the issuing website and the web browser, and on encryption of the cookie data. Indeed, hackers use cookies to gain access to user data, or to access with the user's credentials the website.


Tracking cookies are used to keep records of individuals' browsing histories, which is a huge threat to online privacy. Indeed, under the GDRP, websites targeting EU member states need "informed consent" from users before storing ‘non-essential’ cookies. These are cookies which, in terms of processing, aren’t crucial to the service being provided.


Cookies can be read by intermediaries, like Wi-Fi hotspot providers. So, it is better to use the browser anonymously. This breach of online privacy by extension allows tracking in real life.


The two governing European legislations dealing with data regulation and online privacy didn’t impede cookies. These are the General Data Protection Regulation (GDPR) enacted in May 2018, and the ePrivacy Directive, updated in 2009. 


There are first-party cookies placed by the site you visit, and then third-party cookies, placed by advertisers to serve you targeted ads. Ads follow you around the internet though.


By allowing to process personal data of European data subjects, because consented to, the GDRP ended up allowing breaches of online privacy through cookies.


However, concerning digital privacy, is asking users for consent really the answer? 


Asking to opt in or opt out might not be good enough for data protection. Also, often the website won’t really let you the option to reject all cookies. The user won’t be able to read the page whatsoever. Really, the issue is as to who should own the data and be responsible for protecting it. In Europe, controllers, processors and data protection officers intervene.


The GDPR promotes lawfulness, fairness and transparency concerning the processing of personal data.  It was initially supposed to inform European data subjects as to the use of their personal data and have a say in it. Transparency is a key principle of the regulation. It is meant to make sure users are aware of the data that companies collect about them and why, and to give them a chance to consent to sharing it. 


European users can access their personal data and object to its processing. They can have it deleted, rectified or completed and control access and use of it. Under 15 of the Regulation, data subjects ought to know the purposes of the processing, the recipients of their data, the period for which it will be stored, and the existence of automated decision-making, including profiling. They must be able to complain and restrict such processing.


Essentially the discrepancy between what the GDPR promotes in theory and what it hasn’t prevented in practice, third-party cookies, is based on the fact that companies can process data as long as they get consent or have a “legitimate interest” according to regulators.


The other governing regulation in the matter, the European ePrivacy Directive, has also allowed for such cookies to invade our screens. This directive provides for guidelines regarding tracking, confidentiality, and monitoring online. Being a directive, its implementation is handled by member states and differs from country to country. 


It is argued that the GDPR and the European ePrivacy Directive actually triggered such online privacy breaches by allowing cookies. However, there is no consensus as to whether cookie comply with European law. Indeed, the Dutch data protection agency claims these do not comply with the GDPR because they are a ‘price of entry’ to a website. 


In other words, when you don’t pay actual money to access a website, the disclosure of your data is the price you pay.


Some consider as an alternative ratings system, to point out to users, privacy friendly websites. However, bias could step according to who sets those standards and what they should be. Big websites could easily pay off the relevant authorities to have good grading. 


Essentially, the GDPR has not been enforced and people mostly don’t read or understand privacy policies or cookie policies. 


In that sense, any attempt to obtain consent from users loses all meaning and actually acts against them, allowing their data to be used against them by third-parties.

Add comment


There are no comments yet.